– [Configure and Use Secret Scanning]
What is the first step you should take to fix an alert in secret scanning?
C
Explanation:
The first step when you receive a secret scanning alert is to revoke the secret if it is still valid. This
ensures the secret can no longer be used maliciously. Only after revoking it should you proceed to
remove it from the code history and apply other mitigation steps.
Simply deleting the secret from the code does not remove the risk if it hasn’t been revoked —
especially since it may already be exposed in commit history.
Reference: GitHub Docs – About secret scanning alerts; Remediating a secret scanning alert
– [Configure and Use Dependency Management]
A dependency has a known vulnerability. What does the warning message include?
D
Explanation:
When a vulnerability is detected, GitHub shows a warning that includes a brief description of the
vulnerability. This typically covers the name of the CVE (if available), a short summary of the issue,
severity level, and potential impact. The message also links to additional advisory data from the
GitHub Advisory Database.
This helps developers understand the context and urgency of the vulnerability before applying the
fix.
Reference: GitHub Docs – About Dependabot alerts; Reviewing and managing alerts
– [Configure and Use Dependency Management]
Assuming that notification and alert recipients are not customized, what does GitHub do when it
identifies a vulnerable dependency in a repository where Dependabot alerts are enabled? (Each
answer presents part of the solution. Choose two.)
A, B
Explanation:
When GitHub identifies a vulnerable dependency in a repository with Dependabot alerts enabled, it
performs the following actions:
Generates a Dependabot alert: The alert is displayed on the repository's Security tab, providing
details about the vulnerability and affected dependency.
Notifies repository maintainers: By default, GitHub notifies users with write, maintain, or admin
permissions about new Dependabot alerts.
These actions ensure that responsible parties are informed promptly to address the vulnerability.
Reference: GitHub Docs – About Dependabot alerts; Configuring notifications for Dependabot alerts
– [Configure and Use Secret Scanning]
What do you need to do before you can define a custom pattern for a repository?
C
Explanation:
Before defining a custom pattern for secret scanning in a repository, you must enable secret scanning
for that repository. Secret scanning must be active to utilize custom patterns, which allow you to
define specific formats (using regular expressions) for secrets unique to your organization.
Once secret scanning is enabled, you can add custom patterns to detect and prevent the exposure of
sensitive information tailored to your needs.
Reference: GitHub Docs – Managing alerts from secret scanning
– [Configure and Use Dependency Management]
Assuming that no custom Dependabot behavior is configured, who has the ability to merge a pull
request created via Dependabot security updates?
B
Explanation:
By default, users with write access to a repository have the ability to merge pull requests, including
those created by Dependabot for security updates. This access level allows contributors to manage
and integrate changes, ensuring that vulnerabilities are addressed promptly.
Users with only read access cannot merge pull requests, and enterprise administrators do not
automatically have merge rights unless they have write or higher permissions on the specific
repository.
Reference: GitHub Docs – About Dependabot security updates; Configuring Dependabot security
updates
– [Configure and Use Code Scanning]
Who can fix a code scanning alert on a private repository?
C
Explanation:
In private repositories, users with write access can fix code scanning alerts. They can do this by
committing changes that address the issues identified by the code scanning tools. This level of access
ensures that only trusted contributors can modify the code to resolve potential security
vulnerabilities.
Users with read or triage roles do not have the necessary permissions to make code changes, and the
security manager role is primarily focused on managing security settings rather than directly
modifying code.
Reference: GitHub Docs – Resolving code scanning alerts
– [Describe the GHAS Security Features and Functionality]
Which of the following information can be found in a repository's Security tab?
A
Explanation:
The Security tab in a GitHub repository provides a central location for viewing security-related
information, especially when GitHub Advanced Security is enabled. The following can be accessed:
Number of alerts related to:
Code scanning
Secret scanning
Dependency (Dependabot) alerts
Summary and visibility into open, closed, and dismissed security issues.
It does not show 2FA options, access control settings, or configuration panels for GHAS itself. Those
belong to account or organization-level settings.
Reference: GitHub Docs – Managing security and analysis settings for your repository
– [Configure and Use Secret Scanning]
How many alerts are created when two instances of the same secret value are in the same
repository?
A
Explanation:
When multiple instances of the same secret value appear in a repository, only one alert is generated.
Secret scanning works by identifying exposed credentials and token patterns, and it groups identical
matches into a single alert to reduce noise and avoid duplication.
This makes triaging easier and helps teams focus on remediating the actual exposed credential
rather than reviewing multiple redundant alerts.
Reference: GitHub Docs – About secret scanning alerts
– [Configure and Use Secret Scanning]
What happens when you enable secret scanning on a private repository?
C
Explanation:
When secret scanning is enabled on a private repository, GitHub performs a read-only analysis of the
repository's contents. This includes the entire Git history and files to identify strings that match
known secret patterns or custom-defined patterns.
GitHub does not alter the repository, and enabling secret scanning does not automatically enable
code scanning or dependency review — each must be configured separately.
Reference: GitHub Docs – Managing secret scanning for repositories
– [Configure and Use Dependency Management]
You have enabled security updates for a repository. When does GitHub mark a Dependabot alert as
resolved for that repository?
D
Explanation:
A Dependabot alert is marked as resolved only after the related pull request is merged into the
repository. This indicates that the vulnerable dependency has been officially replaced with a secure
version in the active codebase.
Simply generating a PR or passing checks does not change the alert status; merging is the key step.
Reference: GitHub Docs – About Dependabot security updates; Managing Dependabot alerts